Most of the current key exchange techniques are based on public-key cryptography. Are there any key exchange/establishment techniques based on symmetric-key cryptography too?

In my setup the primary assumption is that both communicating parties can have a pre-shared key, and they further need to exchange messages to derive a longer key for secure communication. (Quantum key distribution is not an option for me.)

DH assumes two parties have no prior knowledge, and it's basically a key transport protocol for open systems like the internet; in my case the two parties know each other and already share a pre-shared key.
– sashank, Oct 17 '12 at 1:10

@StephenTouset: Diffie-Hellman actually is an example of asymmetric cryptography (even if the actions of both sides look quite "symmetric").
– Paŭlo Ebermann, Oct 22 '12 at 20:11

4 Answers

Yes, these are key derivation functions basically deriving a shared secret from information identifying the two parties (like their respective MAC addresses) and nonces and other session communication relevant information. See e.g. the PBKDF2 derivation function.

PBKDF2 isn't by itself useful for key exchange over an unencrypted channel, since both hosts still have to know the same information to provide as inputs.
– Stephen Touset, Oct 16 '12 at 22:45

I assume you're misled by the use of the wording "key exchange", but I refer you to the wording of the question, which is about "key establishment" or, in other words, key agreement. Sashank specified that a pre-shared secret (PSK) already exists between the two parties, so there is no problem with exchanging the remaining information on the public channel (nonces, identity-based information, etc.). For information, this is also how things work in wireless pairings...
– bob, Oct 17 '12 at 8:33

Ah, yep. For some reason, I didn't notice the bits about having a pre-shared key. PBKDF2 (or alternatively a simple HMAC-SHA-256 over some shared data) should be enough to generate a key.
– Stephen Touset, Oct 17 '12 at 17:23
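As an added example (not code from the answer or comments above), here is the HMAC-SHA-256 based derivation this answer describes, implemented as HKDF (RFC 5869): both parties mix the PSK with public nonces and identities to get a session key, then each proves possession with a key-confirmation MAC. The party names, labels and nonce length are assumptions for the example; note that a 4-byte PSK still yields a 32-byte key, but, as the later comments say, its entropy is no larger than the PSK's.

```python
import hmac
import hashlib
import os

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_keys(psk: bytes, id_a: bytes, nonce_a: bytes,
                        id_b: bytes, nonce_b: bytes):
    """Each side runs this on the public transcript plus its own copy of the PSK.
    Returns (session_key, confirmation_key, transcript)."""
    transcript = id_a + nonce_a + id_b + nonce_b
    prk = hkdf_extract(salt=nonce_a + nonce_b, ikm=psk)  # nonces give freshness
    session_key = hkdf_expand(prk, b"session" + transcript, 32)
    confirm_key = hkdf_expand(prk, b"confirm" + transcript, 32)
    return session_key, confirm_key, transcript

def confirmation_tag(confirm_key: bytes, transcript: bytes, sender: bytes) -> bytes:
    """Key-confirmation MAC: shows the sender derived the same keys."""
    return hmac.new(confirm_key, sender + transcript, HASH).digest()

def run_exchange(psk_a: bytes, psk_b: bytes, nonce_a: bytes = b"", nonce_b: bytes = b""):
    """Simulates both parties (assumed names alice/bob). Alice holds psk_a, Bob psk_b.
    Nonces travel in the clear; fresh ones are drawn when none are supplied."""
    id_a, id_b = b"alice", b"bob"
    nonce_a = nonce_a or os.urandom(16)
    nonce_b = nonce_b or os.urandom(16)
    key_a, conf_a, tr_a = derive_session_keys(psk_a, id_a, nonce_a, id_b, nonce_b)
    key_b, conf_b, tr_b = derive_session_keys(psk_b, id_a, nonce_a, id_b, nonce_b)
    # Each side MACs the transcript with its confirmation key; the peer recomputes it.
    tag_from_bob = confirmation_tag(conf_b, tr_b, id_b)
    tag_from_alice = confirmation_tag(conf_a, tr_a, id_a)
    alice_ok = hmac.compare_digest(tag_from_bob, confirmation_tag(conf_a, tr_a, id_b))
    bob_ok = hmac.compare_digest(tag_from_alice, confirmation_tag(conf_b, tr_b, id_a))
    return key_a, key_b, alice_ok and bob_ok
```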

Sure. Needham-Schroeder (e.g., Kerberos) solves exactly this problem. If each party shares a key with a trusted party Trent, then it provides a protocol that Alice and Bob can use to establish a session key good for use for encrypting traffic between the two of them. Kerberos v4 uses this in a purely symmetric-key setting: no asymmetric (public-key) cryptography.

Basic Needham-Schroeder is vulnerable to a replay attack. Any pointer to a description of a (perhaps formally verified) protocol without this vulnerability, and/or to the protocol in Kerberos 4?
– fgrieu, Oct 23 '12 at 13:31

@D.W.: Yes, Wikipedia's Kerberos protocol article lists a few RFCs that explain the protocol. I wish someone would edit Simple Wikipedia's Kerberos protocol article to explain it in a way that normal humans could understand.
– David Cary, Nov 2 '12 at 15:03

If the two parties have a pre-shared key, you don't need any key exchange!

In case you are looking for a key exchange mechanism based on symmetric key cryptography (and without pre-shared keys), the only thing I can think of is Merkle puzzles (historically the first public key algorithm). Unfortunately, there is a catch: if the cost of the protocol is $n$ operations, it is possible to break it with $n^2$ operations. The difference between the cost of the protocol and the cost of attacks is too small; therefore, while Merkle puzzles are interesting from a historical perspective, they are not really practical.

Well, the nature of the pre-shared key in my case is very short, so I am looking for some protocol to run to agree upon a large key, or some kind of key synthesis to generate a large key.
– sashank, Oct 17 '12 at 14:00

@Vucamille: And on top of this, even if the pre-shared key has good entropy, the key tends to weaken with use; this is the reason why session keys are used instead and changed frequently; hence, there is a need for key derivation based on pre-shared keys; one might call this key agreement since other info such as nonces is also introduced...
– bob, Oct 17 '12 at 21:25

+1 to this answer. I don't know why this answer was down-voted. It is perfectly valid and responsive to the original question.
– D.W., Oct 23 '12 at 2:47

@Vucamille: +1 for the remark that two parties with a pre-shared key don't need any key exchange. But that's in theory; in practice, a key might be good only for a limited number of uses (e.g. because of DPA attacks, or because a cipher's block size is relatively small), creating the need for a session key.
– fgrieu, Oct 23 '12 at 11:06
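To make the $n$ versus $n^2$ gap in this answer concrete, here is an added toy simulation of Merkle puzzles (not code from the answer): Alice publishes `n` puzzles each sealed under a key from a small space, Bob brute-forces one and announces its index in the clear, and an eavesdropper must open puzzles until she finds that index. The toy XOR-with-SHA-256 cipher, the marker, and the parameter names are assumptions; cost is measured as the number of trial decryptions, so with `key_space = n` Bob does about $n/2$ and the eavesdropper about $n^2/2$.

```python
import hashlib
import os
import random

MARKER = b"MRKL"  # lets a solver recognise a correct key guess

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the simulation only: XOR with SHA-256(key)."""
    stream = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def make_puzzles(n: int, key_space: int):
    """Alice builds n puzzles; puzzle i hides (i, secret_i) under a key drawn
    from key_space values, so opening one costs about key_space/2 guesses."""
    puzzles, secrets = [], {}
    for i in range(n):
        secret = os.urandom(16)
        secrets[i] = secret
        k = random.randrange(key_space).to_bytes(4, "big")
        puzzles.append(toy_cipher(k, MARKER + i.to_bytes(2, "big") + secret))
    random.shuffle(puzzles)  # nobody can tell which puzzle holds which index
    return puzzles, secrets

def solve_puzzle(puzzle: bytes, key_space: int):
    """Brute-force one puzzle. Returns (index, secret, keys_tried)."""
    for k in range(key_space):
        pt = toy_cipher(k.to_bytes(4, "big"), puzzle)
        if pt.startswith(MARKER):
            return int.from_bytes(pt[4:6], "big"), pt[6:], k + 1
    raise ValueError("no key found")

def bob_agree(puzzles, key_space):
    """Bob solves one random puzzle; the index goes to Alice in the clear."""
    return solve_puzzle(random.choice(puzzles), key_space)

def eve_break(puzzles, key_space, announced_index):
    """The eavesdropper sees only the index and opens puzzles until she hits it."""
    work = 0
    for p in puzzles:
        idx, secret, tried = solve_puzzle(p, key_space)
        work += tried
        if idx == announced_index:
            return secret, work

def simulate(n: int = 64, key_space: int = 64):
    """Runs one exchange and returns the agreed-secret check plus both workloads."""
    puzzles, secrets = make_puzzles(n, key_space)
    idx, bob_secret, bob_work = bob_agree(puzzles, key_space)
    eve_secret, eve_work = eve_break(puzzles, key_space, idx)
    return {"match": secrets[idx] == bob_secret == eve_secret,
            "bob_work": bob_work, "eve_work": eve_work}
```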

Why shouldn't the nonce be sent in the clear? They do not need to remain secret, the pre-shared key serves this purpose already.
– bob, Oct 17 '12 at 21:26

If you send a nonce in the clear, you only gain security if you have access to a one-way trapdoor function; otherwise the nonce is quite useless: an attacker can replicate all steps, except the pre-shared key. And this is equal to the security of the pre-shared key alone. However, the question was to "derive a longer key for secure communication", which I understand as increasing the key length/entropy/keyspace...
– tylo, Oct 18 '12 at 9:24

You don't need an OWTF, but basically a pseudo-random function (PRF). The purpose of the key derivation is to provide a session key and bind it to the communication specificities (date, end points, etc.); the nonces ensure freshness and do not require secrecy. It definitely does not increase the entropy of the secret.
– bob, Oct 18 '12 at 9:40

It should perhaps be stated that PAKE isn't symmetric-key cryptography. PAKE protocols use asymmetric (public-key) cryptography internally, e.g., Diffie-Hellman or similar asymmetric cryptography. Also, using symmetric-key cryptography does not require relying upon a passphrase. You could have a pre-shared symmetric key, and use that for key derivation.
– D.W., Oct 23 '12 at 2:46